Removed all textile references and correct sanitation of comments

admin/bm.php

@@ -208,7 +208,17 @@ if ($user->isAdmin()) {
 							}
 ?>
 								<p>
-									<span style="color: rgb(136, 136, 136); margin-bottom: 10px; font-size: 10px;"><a href="http://hobix.com/textile/">Textile</a> <?php echo __("syntax is supported.")?></span>
+									<span style="color: rgb(136, 136, 136); margin-bottom: 10px; font-size: 10px;">
+                                    	<?php echo __("Some HTML allowed")?>:<br />
+										&nbsp;&nbsp;&nbsp;&nbsp;
+										<code>
+                                            &lt;strong&gt; &lt;em&gt; &lt;del&gt; &lt;ul&gt;  &lt;ol&gt;  &lt;li&gt; &lt;a&gt;
+                                            <br />
+                                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;blockquote&gt;
+                                            &lt;code&gt; &lt;pre&gt; &lt;img&gt;
+										</code>
+										<br /><br />
+                                    </span>
 								</p>
 								<p>
 									<input class="btn" type="submit" name="btnAdd" value="Create post" />

admin/comments.php

@@ -22,13 +22,12 @@ $isEdition = isset($_GET["edit"]);
 $commentId = ($isEdition) ? $_GET["edit"] : NULL;
 	
 if(isset($_POST["btnAdd"]))	{		
-	unset($_POST["btnAdd"]);
+	unset($_POST["btnAdd"]);	
 	
-	$textile = new Textile();
-	
-	$_POST["username"] = $textile->TextileThis(removeBadTags($_POST["username"]));
-	$_POST["email"] = $textile->TextileThis(removeBadTags($_POST["email"]));
-	$_POST["web"] = $textile->TextileThis(removeBadTags($_POST["web"]));
+	$_POST["username"] = strip_tags($_POST["username"]);
+	$_POST["email"] =  strip_tags($_POST["email"]);
+	$_POST["web"] = strip_tags($_POST["web"]);
+	$_POST["content"] = removeBadTags($_POST["content"], true);
 		
 	if (isset($_POST["id_comment"])) {
 		if ($isAdmin) {

admin/index.php

@@ -318,7 +318,7 @@ if ($user->isAuthenticated()) {
 										<br />
 										&nbsp;&nbsp;&nbsp;&nbsp;&lt;blockquote&gt;
                                         &lt;code&gt; &lt;pre&gt; &lt;img&gt;
-										<code>
+										</code>
 										<br /><br />
                                         Bookmarklet - <a class="bookmarklet" title="<?php echo __("Drag to the Bookmarks Toolbar")?>" href="javascript:var w; setTimeout('w.focus()',100);w=window.open('<?php echo $conf->urlGelato; ?>/admin/bm.php?url='+encodeURIComponent(location.href)+'&sel='+encodeURIComponent(window.getSelection()),'bookmarklet','toolbar=0,resizable=0,status=1,width=650,height=540,dependent=yes' ); w.focus();"><?php echo __("add to gelato")?></a>
                                         <br /><br />

classes/comments.class.php

@@ -28,9 +28,9 @@ class comments extends Conexion_Mysql {
 	}
 	
 	function generateCookie($fieldsArray) {
-		setcookie("cookie_gel_user", $fieldsArray["username"], time() + 30000000);
-		setcookie("cookie_gel_email", $fieldsArray["email"], time() + 30000000);
-		setcookie("cookie_gel_web", $fieldsArray["web"], time() + 30000000);
+		setcookie("cookie_gel_user", $fieldsArray["username"], time() + 30000000, "/");
+		setcookie("cookie_gel_email", $fieldsArray["email"], time() + 30000000, "/");
+		setcookie("cookie_gel_web", $fieldsArray["web"], time() + 30000000, "/");
 	}
 	
 	function isSpam($fieldsArray) {

classes/functions.php

@@ -401,7 +401,7 @@ if(!defined('entry') || !entry) die('Not a valid page');
 
 	function removeBadTags($source,$secure=false) {
 		if($secure){
-			$validTags ='<abbr><acronym><em><i><strong><b><span>';
+			$validTags ='<blockquote><code><em><i><strong><b><a>';
 		} else {
 			$validTags ='<p><ol><ul><li><a><abbr><acronym><blockquote><code><pre><em><i><strong><b><del><br><span><div><img>';
 		}

entry.php

@@ -56,7 +56,6 @@ if($installed) {
 }
 
 require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'configuration.class.php');
-require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'textile.class.php');
 require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'gelato.class.php');
 require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'templates.class.php');
 require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'themes.class.php');

themes/tumblr/index.htm

@@ -1,171 +1,178 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
-	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-<head>
-	{Gelato_includes}
-    <title>{Page_Title}</title>
-    <!--[if IE]>
-        <style type="text/css">
-            div.post div.quote span.quote big.quote {
-                line-height: 40px;
-            }
-        </style>
-    <![endif]-->
-</head>
-<body>
-    <div id="container">
-        <a href="{URL_Tumble}/rss.php"><img src="{URL_Tumble}/themes/{Template_name}/img/rss.gif" id="rss" alt="RSS" title="RSS" /></a>
-
-        <h1><a href="{URL_Tumble}/">{Title}</a></h1>
-
-            <div id="description">
-                {Description}
-            </div>
-
-		{if {$isAuthenticated}}
-			<div style="padding:4px; border:solid 2px #bbb; display:inline; background-color:#ddd; position:absolute; top:3px; right:3px;">
-				<b>Hi, {User}.</b>&nbsp;&nbsp;
-				<a target="_top" href="{URL_Tumble}/admin/index.php">Add/Edit my posts</a>&nbsp;&nbsp;
-				<a target="_top" href="{URL_Tumble}/admin/close.php">Sign out</a>
-			</div>
-		{/if}
-
-		{if {$error}}
-			<div class="error">{$error}</div>
-		{else}
-			{block {$rows} as {$row}}
-				<div class="date">
-					{$row.Date_Added}
-				</div>
-				{if {$row.postType}==1}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-
-						<div class="regular">
-							<h2><a href="{$row.Permalink}">{$row.Title}</a></h2>
-							{$row.Body}
-						</div>
-					</div>
-				{elseif {$row.postType}==2}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="photo">
-							<a {$row.Effect}><img src="{$row.PhotoURL}" alt="{$row.PhotoAlt}" /></a><br/>
-							<div class="caption">{$row.Caption}</div>
-						</div>
-					</div>
-				{elseif {$row.postType}==3}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="quote">
-							<span class="quote"><big class="quote"><a href="{$row.Permalink}">&#147;</a></big> {$row.Quote}</span>
-							<div class="source">&mdash; {$row.Source}</div>
-						</div>
-					</div>
-				{elseif {$row.postType}==4}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-							<div class="link">
-								&#187; <a href="{$row.URL}">{$row.Name}</a>
-							<div class="description">{$row.Description}</div>
-						</div>
-					</div>
-				{elseif {$row.postType}==5}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="conversation">
-								...<h2><a href="{$row.Permalink}">{$row.Title}</a></h2>
-							{$row.Conversation}
-						</div>
-					</div>
-				{elseif {$row.postType}==6}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="video">
-							{$row.Video}
-							<div class="caption">{$row.Caption}</div>
-						</div>
-					</div>
-				{elseif {$row.postType}==7}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="video">
-							{$row.Mp3}
-							<div class="caption">{$row.Caption}</div>
-						</div>
-					</div>
-				{/if}
-
-			{if !{$id_post}}
-				<div class="totalComments">
-					<h3>Posted by {$row.User} - <a href="{$row.Permalink}#comments">( {$row.Comments_Number} ) comments</a></h3>
-				</div>
-			{/if}
-		{/block}
-
-		{if {$id_post}}
-			<div class="containerComments">
-				<h3 id="comments">{$row.Comments_Number} answers to &#8220;{$row.Post_Title}&#8221;</h3>
-				<ol class="commentlist">
-					{block {$comments} as {$comment}}
-					<li class="alt" id="comment-{$comment.Id_Comment}">
-						<cite>
-							<a href="#comment-{$comment.Id_Comment}" title="Comment permalink">#</a>&nbsp;&nbsp;
-							{$comment.Comment_Author} said:
-						</cite>
-						<br />
-						<span class="timestampComment"> at {$comment.Date}</span><br /><br />
-						{$comment.Comment}
-						<br /><br />
-					</li>
-					{/block}
-				</ol>
-			</div>
-
-			<div class="containerFormComments">
-			<h3 id="respond">Add your comment</h3>
-
-			<form action="{Form_Action}" method="post" name="commentForm" id="commentForm">
-				<p>
-					<label for="username">
-						<small>Name:</small>
-					</label>
-					<input name="username" id="username" value="{whois.User_Cookie}" size="22" tabindex="1" type="text" />
-				</p>
-				<p>
-					<label for="email">
-						<small>E-mail:</small>
-					</label>
-					<input name="email" id="email" value="{whois.Email_Cookie}" size="22" tabindex="2" type="text" />
-				</p>
-				<p>
-					<label for="web">
-						<small>Website:</small>
-					</label>
-					<input name="web" id="web" value="{whois.Web_Cookie}" size="22" tabindex="3" type="text" />
-				</p>
-				<p>
-					<textarea name="content" id="content" cols="100" rows="10" tabindex="4"></textarea>
-				</p>
-				<p>
-					<span style="color: rgb(136, 136, 136); margin-bottom: 10px; font-size: 10px;"><a href="http://hobix.com/textile/">Textile</a> syntax is supported.</span>
-				<p>
-					<input type="submit" value="Add comment" name="btnAdd" id="btnAdd" tabindex="5" />
-				</p>
-				<p>
-					<input name="id_post" id="id_post" value="{id_post}" type="hidden" />
-					<input name="comment_date" id="comment_date" value="{Date_Added}" type="hidden" />
-				</p>
-			</form>
-		</div>
-		{else}
-			{pagination}
-		{/if}
-	{/if}
-	</div>
-	<div id="footer">
-		subscribe via <a href="{URL_Tumble}/rss.php">rss</a> &nbsp;/&nbsp;
-		powered by <a href="http://www.gelatocms.com/">gelato cms</a>
-	</div>
-</body>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+	{Gelato_includes}
+    <title>{Page_Title}</title>
+    <!--[if IE]>
+        <style type="text/css">
+            div.post div.quote span.quote big.quote {
+                line-height: 40px;
+            }
+        </style>
+    <![endif]-->
+</head>
+<body>
+    <div id="container">
+        <a href="{URL_Tumble}/rss.php"><img src="{URL_Tumble}/themes/{Template_name}/img/rss.gif" id="rss" alt="RSS" title="RSS" /></a>
+
+        <h1><a href="{URL_Tumble}/">{Title}</a></h1>
+
+            <div id="description">
+                {Description}
+            </div>
+
+		{if {$isAuthenticated}}
+			<div style="padding:4px; border:solid 2px #bbb; display:inline; background-color:#ddd; position:absolute; top:3px; right:3px;">
+				<b>Hi, {User}.</b>&nbsp;&nbsp;
+				<a target="_top" href="{URL_Tumble}/admin/index.php">Add/Edit my posts</a>&nbsp;&nbsp;
+				<a target="_top" href="{URL_Tumble}/admin/close.php">Sign out</a>
+			</div>
+		{/if}
+
+		{if {$error}}
+			<div class="error">{$error}</div>
+		{else}
+			{block {$rows} as {$row}}
+				<div class="date">
+					{$row.Date_Added}
+				</div>
+				{if {$row.postType}==1}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+
+						<div class="regular">
+							<h2><a href="{$row.Permalink}">{$row.Title}</a></h2>
+							{$row.Body}
+						</div>
+					</div>
+				{elseif {$row.postType}==2}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="photo">
+							<a {$row.Effect}><img src="{$row.PhotoURL}" alt="{$row.PhotoAlt}" /></a><br/>
+							<div class="caption">{$row.Caption}</div>
+						</div>
+					</div>
+				{elseif {$row.postType}==3}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="quote">
+							<span class="quote"><big class="quote"><a href="{$row.Permalink}">&#147;</a></big> {$row.Quote}</span>
+							<div class="source">&mdash; {$row.Source}</div>
+						</div>
+					</div>
+				{elseif {$row.postType}==4}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+							<div class="link">
+								&#187; <a href="{$row.URL}">{$row.Name}</a>
+							<div class="description">{$row.Description}</div>
+						</div>
+					</div>
+				{elseif {$row.postType}==5}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="conversation">
+								...<h2><a href="{$row.Permalink}">{$row.Title}</a></h2>
+							{$row.Conversation}
+						</div>
+					</div>
+				{elseif {$row.postType}==6}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="video">
+							{$row.Video}
+							<div class="caption">{$row.Caption}</div>
+						</div>
+					</div>
+				{elseif {$row.postType}==7}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="video">
+							{$row.Mp3}
+							<div class="caption">{$row.Caption}</div>
+						</div>
+					</div>
+				{/if}
+
+			{if !{$id_post}}
+				<div class="totalComments">
+					<h3>Posted by {$row.User} - <a href="{$row.Permalink}#comments">( {$row.Comments_Number} ) comments</a></h3>
+				</div>
+			{/if}
+		{/block}
+
+		{if {$id_post}}
+			<div class="containerComments">
+				<h3 id="comments">{$row.Comments_Number} answers to &#8220;{$row.Post_Title}&#8221;</h3>
+				<ol class="commentlist">
+					{block {$comments} as {$comment}}
+					<li class="alt" id="comment-{$comment.Id_Comment}">
+						<cite>
+							<a href="#comment-{$comment.Id_Comment}" title="Comment permalink">#</a>&nbsp;&nbsp;
+							{$comment.Comment_Author} said:
+						</cite>
+						<br />
+						<span class="timestampComment"> at {$comment.Date}</span><br /><br />
+						{$comment.Comment}
+						<br /><br />
+					</li>
+					{/block}
+				</ol>
+			</div>
+
+			<div class="containerFormComments">
+			<h3 id="respond">Add your comment</h3>
+
+			<form action="{Form_Action}" method="post" name="commentForm" id="commentForm">
+				<p>
+					<label for="username">
+						<small>Name:</small>
+					</label>
+					<input name="username" id="username" value="{whois.User_Cookie}" size="22" tabindex="1" type="text" />
+				</p>
+				<p>
+					<label for="email">
+						<small>E-mail:</small>
+					</label>
+					<input name="email" id="email" value="{whois.Email_Cookie}" size="22" tabindex="2" type="text" />
+				</p>
+				<p>
+					<label for="web">
+						<small>Website:</small>
+					</label>
+					<input name="web" id="web" value="{whois.Web_Cookie}" size="22" tabindex="3" type="text" />
+				</p>
+				<p>
+					<textarea name="content" id="content" cols="100" rows="10" tabindex="4"></textarea>
+				</p>
+				<p>
+					<span style="color: rgb(136, 136, 136); margin-bottom: 10px; font-size: 10px;">
+                    	Some HTML allowed:<br />
+                        &nbsp;&nbsp;&nbsp;&nbsp;
+                        <code>
+                            &lt;blockquote&gt; &lt;code&gt; &lt;em&gt; &lt;strong&gt; &lt;a&gt;
+                        </code>    
+                	</span>
+                </p>
+		  		<p>
+					<input type="submit" value="Add comment" name="btnAdd" id="btnAdd" tabindex="5" />
+				</p>
+				<p>
+					<input name="id_post" id="id_post" value="{id_post}" type="hidden" />
+					<input name="comment_date" id="comment_date" value="{Date_Added}" type="hidden" />
+				</p>
+			</form>
+		</div>
+		{else}
+			{pagination}
+		{/if}
+	{/if}
+	</div>
+	<div id="footer">
+		subscribe via <a href="{URL_Tumble}/rss.php">rss</a> &nbsp;/&nbsp;
+		powered by <a href="http://www.gelatocms.com/">gelato cms</a>
+	</div>
+</body>
 </html>